Things to Know Before Developing Intelligence Requirements
By Mike Mimoso
To state the obvious, proper intelligence requirements must be in place before data collection, analysis, and consumption of intel can happen. These requirements are critical because they enable an organization to choose and prioritize its intelligence goals, determine what information it needs to collect and from what sources to achieve those goals, establish how it will process this information, and identify which dissemination methods are most appropriate for the finished intelligence it produces.
Intelligence requirements mandate some initial groundwork, however. The commercial sector, for example, has a much different starting point than its public-sector counterparts; a government agency may want to know all it can about an adversary targeting its network, while a financial services organization may be primarily concerned about getting those bad guys off its network—whomever they may be—and keeping them off.
This approach will guide how intelligence requirements are formulated as organizations attempt to understand and protect their infrastructure, lessen the attack surface a threat actor may target, and reduce exposure to risk.
Assets and Exposure
Building intelligence requirements that work for your organization requires a deep understanding of available assets and exposure through a comprehensive asset inventory and threat-profiling exercise, more so than a debate about how much software and people hours you will need to invest in order to address a threat. A much more fruitful discussion should be had about the specific information you need to collect to satisfy specific intel requirements.
For the commercial sector, this type of asset inventory and evaluation of internal assets and exposure in the context of adversaries’ tactics, techniques, and procedures must also include an understanding of threats to others in your industry, and tangentially against your supply chain, or others who store and execute upon the same types of data as your company. Being solely reactive puts organizations at an immediate disadvantage, not only with regard to incident response, but also with communicating potential risk to intelligence consumers and decision makers.
The More You Know…
Looking at this from a commercial business risk intelligence (BRI) perspective, intelligence requirements are derived from questions that need to be answered, and those questions should be formulated by those who will consume the subsequent intelligence, such as business leaders or analysts in a security operations center.
It’s too broad a question to ask whether there are hackers a business needs to be concerned with, because properly answering that question would require extensive, time-consuming data collection and profiling of active threat actors and could easily be over-taxing for analysts already overburdened with alerts. A more focused approach would be to first identify which systems are core to the business. Next, determine whether there are publicly disclosed vulnerabilities and/or attacks targeting those systems, understand the consequences of a breach of the data on those systems, and find out whether attackers are targeting others in your industry.
This level of insight can help an organization narrow its open web or Deep & Dark Web sources of information and focus only on core areas of concern, such as cybercrime, fraud-loss avoidance, emergent malware, disruptive attacks, or public exploits, for example. It also puts security analysts and decision makers in a position to be proactive about future threats and inform risk-based decisions.
Once there is an understanding of assets and exposure based on such specific and tailored questions, work on equally narrow intelligence requirements may begin. In the above examples, an organization may establish a requirement that certain threat-actor profiles be developed, or intelligence on only a handful of pertinent vulnerabilities and exploits be produced. If threat actors have used a zero-day attack against organizations running a previously undisclosed Adobe Flash vulnerability, and you’ve blocked Flash usage on employee devices, these incidents have little bearing on your operation.
This is the type of tactical, operational, or strategic intelligence organizations require to inform decisions and lessen risk. It all begins with intelligence requirements, and going a layer higher, the legwork required to support the development of viable intelligence requirements is challenging. It’s also worthwhile and supports the ultimate outcome for any security and risk team: preserve an organization’s resiliency and operational continuity.
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was as an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.